silverstripe / silverstripe-framework

Silverstripe Framework, the MVC framework that powers Silverstripe CMS
https://www.silverstripe.org
BSD 3-Clause "New" or "Revised" License

DBField constructor input validation #8676

Open dnsl48 opened 5 years ago

dnsl48 commented 5 years ago

Affected Version

SilverStripe 4.x

Description

DBField constructor does not validate input properly which may potentially lead to bugs in resulting SQL queries.

Steps to Reproduce

new \SilverStripe\ORM\FieldType\DBVarchar('mychar"');

Related PRs
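As an added illustration (not code from the Silverstripe project), this is the kind of allow-list check a field-type constructor could apply to the name it receives; the helper name, the identifier rule and the sample inputs are assumptions constructed for the example:

```php
<?php
// Added example, not Silverstripe code: a strict allow-list check for a
// database field name, the kind of validation the issue asks DBField's
// constructor to perform. The helper name and the rule are assumptions.

function assertValidFieldName(string $name): string
{
    // Accept only a plain, unquoted SQL identifier: a letter or underscore,
    // followed by letters, digits or underscores, at most 64 characters
    // (the MySQL identifier limit). Anything else is rejected up front so
    // it can never reach the query builder.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException(
            sprintf('Invalid DB field name: %s', var_export($name, true))
        );
    }
    return $name;
}

// Constructed inputs: the reproducer from this issue plus a few neighbours.
$cases = ['mychar"', 'mychar', 'my char', '1stfield', 'my-char', 'Title_2'];
foreach ($cases as $case) {
    try {
        printf("accepted: %s\n", assertValidFieldName($case));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

Running it accepts `mychar` and `Title_2` and rejects the other four, including the `mychar"` name from the reproduction steps.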

ScopeyNZ commented 5 years ago

Re-triaged as low. This is more like a developer aid right? It's unlikely you'll be creating a DBField with some constructed field name?

ScopeyNZ commented 5 years ago

I suppose it makes sense that we validate carefully around this part of the system (SQL). I'll restore the original impact.